Embed Size (px)
Citation preview
- 1 -
Handbook
Internet Privacy and Myths
Author: Christos Beretas, MSc
December 2013
Second Edition
- 2 -
About the Author
I am holder of Bachelors, Diploma, and Masters degree in the fields
of Networking / Telecommunications, Computer Programming, and
Technology Management, also i hold various certificates, i am
hardworking, conscientious, and diligent person who can be
characterized by strong character, i am mature and intelligent person
who has the academic background, the intellectual capabilities, and
the personal determination to pursue excellence in my
responsibilities, i am honest, fair, and positive person who aim high
and deserve to reach high. My focus areas are, researching, analyzing, evaluating,
build software solutions, secure computer networks, management information
systems, database and network administration, testing new programs to enhance the
information technology, social media networks, and the telecommunications systems
for every organization's global outreach efforts. My credentials speak loudly about my
ability to analyze the problem, design the solution and then implement it to a
successful conclusion.
As an honor graduate i am the uncommon person who has excelled in skilled
workmanship, dependability, leadership and academic achievement. My research
projects are respected internationally; also, i am member of Alpha Beta Kappa
National Honor Society, Alpha of Ohio, USA.
I hope you will enjoy reading my handbook, for more information about my self and
my software applications visit my official web site: http://www.christosberetas.com
Sincerely,
Christos Beretas, MSc
December 2013 – Second Edition
This handbook (Internet Privacy and Myths) is provided without any cost (FREE).
- 3 -
Table of Contents
Introduction to Web……………………………………….…………………...…
A. IP Address…………………………………………………..…………….
B. DNS……………………………………………………………...………..
C. MAC Address…………………………………………..…………………
Internet Service Provider (ISP…………………………………….....……………
Web Surfing and Scripting………………………………………………………..
A. Cookies……………………………………………...…………………….
Proxy Servers – Anonymous Proxy Servers……………………………………...
A. Keep Alive…….…………………………………………………………..
VPN……………………………………………………………………………….
Phishing…………………………………………………………...………………
A. Marketing Purposes……………………………………………………….
B. Illegal Avtivities……...…………………………………………..……….
Wi-Fi – Hot Spots…………………………………...……………………....…….
Wi-Fi Privacy Hole…………………………………...…..………………………
Intrusion Detection Software………………………………….…………………..
Vulnerability Scanners…………………………………………...……………….
Smart Phones and Geolocation…...…………………………………....………….
Smart Phone location through GPS………………………….……………………
KeyLogger and Privacy…………………………………………………...………
Recommending websites………...….………………………...…………..………
Sources……………………………….…………………………...………………
4
5
5
7
9
11
11
13
13
16
18
18
19
21
23
24
26
28
29
31
32
33
- 4 -
Introduction to Web
The Internet is a worldwide computer network that consists mainly of Servers,
Routers, Switches, other networking devices, and personal computers (picture 1 and
2).
Picture 1:
Picture 2:
- 5 -
As the Internet was spreading worldwide have created a standard for the smooth
functioning of the world, thereby excludes any incompatibilities. Every computer
connected to the Internet has a unique address called IP ADDRESS (Internet Protocol
Address), picture 3 and 4, every server, personal computer and every device that
connects to the network has a unique IP ADDRESS is either dynamic (the IP address
is assigned automatically by the Internet service provider (ISP)), or static (the IP
address is the same and never changes, after consultations between the client and the
internet service provider).
Picture 3:
Picture 4:
The static IP address is like I know someone always where reside because it is
permanent and never changes. But all this would not have any benefit if we do not had
the Domain Name Servers (D�S), DNS is an index which undertakes to translate a
domain name (for example, www.example.com to an IP address, for example
- 6 -
123.123.23.23 and vice versa), this way we are not obliged to remember always the
IP ADDRESS of each Web page (picture 5 and 6).
Picture 5:
Picture 6:
- 7 -
An IP address can reveal the country, city and even the home address of the user
(picture 7).
Picture 7:
Also worth mentioning here the MAC ADDRESS, which is a unique number and is
assigned by the manufacturer of the network adapter card, whether it is wireless or
wired. This number is unique for each network adapter card and does not change
(picture 8 and 9).
Picture 8:
- 8 -
Picture 9:
- 9 -
Internet Service Provider (ISP)
The Internet service providers create a history file for each of their users that is
updated each time the user makes any activity on the Internet, this file is named LOG
file and contains the IP address of the user, MAC ADDRESS, time, user name,
date, and duration that have been visit the Web page as well any connections to third
systems or networks (picture 1).
Picture 1:
New versions of software may provide more information. The Government and the
Internet Service Provider is given the possibility to request access to personnel file
(LOG file) so they can easily know who did what, where and when, especially when
involving illegal activities on the part of the user they are able to find very easily the
user from the IP address of the computer, or the MAC ADDRESS so by sending the
IP address of the computer's or the MAC ADDRESS to ISP asking who user had the
specified address the specific time, the ISP will check for the user who is logged on
- 10 -
the sepcific MAC ADDRESS, the ISP will respond with complete details of the user,
the information details which have the ISP about the user is from the internet
application which he/she made in one ISP to provide Internet connection.
- 11 -
Web Surfing and Scripting
Surfing on the Internet, many people claim that they have not been registered to
some online service, can not other people yet the companies and Governments to
learn about their personal interests. This is a myth which is unfounded and is already
collapsed. Companies, organizations and even Governments which engage in
electronic marketing (e-marketing) or not, use their special code on Web pages to
collect information from the user preferences, specifically this is accomplished
primarily through the use of cookies (picture 1).
Picture 1:
- 12 -
Certainly we all noticed and wondered how some days ago and while we looked for
something specific on the Internet, and today in the form of a banner on one of the
pages we visit which we had before some days informs us that today there is what we
looked before few days a go. It is worth noting that the cost of creating a profile for
each computer user is too small, the preferences and interests can be stored in a single
CD. Certainly we all have noticed that by visiting some of Web pages they show
information about the name of the operating system, the version of web browser we
use, what version of java is using our computer, the computer name, etc. this
information may simply have informative character for the user about who visits the
specific website, but cannot guarantee that the information is only informative and are
not intended to create an online profile for users who visit the particular Web page,
collecting whatever other information is freely available from the web browser or the
operating system of the computer. However, I must point out here that some web
pages applying the following 2 techniques, in addition using cookies, they use:
1. Code which during the loading of the Web page downloading files on the
user's hard disk in order to gathering info.
2. When the Web page is loading runs a special code that collects user
information.
Also when we surfing on Internet, the Internet Service Provider (ISP) is always know
what Web pages we have been visit as well as any other computer networks we have
been connected.
- 13 -
Proxy Servers – Anonymous Proxy Servers
By the use of a proxy server we can dispense the computer home or company
network, to connect through our ISP on a third Server (Proxy Server) from which this
server we will surf on the Internet and also to run various network applications, when
we connect through proxy server maybe the proxy server needs user authorization or
maybe is anonymous (not require user authorization), whatever website we visit
through proxy server recorded in log file of the web server which hosts the web page
we want to view the IP ADDRESS of the proxy server and not our real IP
ADDRESS of our network, in this way we can achieve a certain degree of anonymity
on the Internet (picture 1).
Picture 1:
The ISP that provides us Internet connection knows that we are connected to Proxy
Server but cannot know the activity we do after our connection to the proxy server,
our activity as well as the actual real IP ADDRESS of the computer and the activities
we do is recorded in the log file of the proxy server. The System Administrator who
manages the proxy server is able to know the full activities. If the proxy server is
claiming full anonymous, that means is KA (keep alive), (pictures 2 and 3) that
means is not recorded anywhere IP ADDRESS and there are not log files.
- 14 -
Picture 2:
Picture 3:
We cannot be sure for the following reasons:
1. There are anonymous proxy servers that appear as anonymous to attract
hackers for easy identification. This proxy servers they are monitored by
Governments and their services to prevent and detect electronic crimes.
2. There are anonymous proxy servers that belong to the companies,
organizations, a court can reveal the true identity of the user who logged on.
- 15 -
3. We are not in a position to know the actual features of one anonymous proxy
server, the policy applied by the system administrators, as well as the actual
level of anonymity.
4. We do not know if the proxy server keep log file that contains personal data
such as hostname, IP ADDRESS, MAC ADDRESS, etc.
- 16 -
VP%
A VP� network can provide important safety and anonymity because the data that
is transfering they are encrypted (pictures 1 and 2).
Picture 1:
Picture 2:
- 17 -
In a VP� network we can know which user connected where, but we don’t know
what data transferred, our ISP knows that we are connected to a VP�, but may not be
familiar with the data we have been transfer or we will transfer, our ISP only knows
that we connect to another network doesn't know beyond the activities with the VP�
network. Despite the significant safety and anonymity a VPN network, the following
points are hidden:
1. We do not know if VP� administrators have copies of data that we transfer.
2. We do not know if the data transfer to third parties organizations.
3. In the case of anonymous VP� network, we do not know if they are truly
anonymous, whether a court may compel the organization to give personal
information in this case means that the VP� organization keeping history.
4. Finally, we do not know if recorded info about our computer and our operating
system.
- 18 -
Phishing
With the help of technology and Internet personal users or organizations trying to
access as possible a user's personal data for two purposes:
1. For marketing purposes.
2. For illegal activities.
In the first case sent various e-mails which include links that clicking the user goes to
a site depending on the issue of the email and the content and ask from the user while
he/she is do click on the link which is included in the email to enter personal info or
register in other company services, etc (picture 1).
Picture 1:
You need to read necessary the terms of use and if the website is the original and is
legitimate before you enter personal info because your personal information, maybe
will be distributing to other people or organizations without your permission for
marketing or other illegal activities.
- 19 -
In the second case, someone sent fake e-mails that have altered the header from the
attacker, the user seem sent it by official source as a serious organization, a Bank, etc
(picture 2).
Picture 2:
then encourage the user to click on a link contained in the e-mail to give personal
information or to confirm his/her self in the system while the Web page being visited
by clicking the user is not the official organization from which it appears the e-mail
was sent, but it is a fake website which have caused some to collect personal
information, such as name, credit card numbers, passwords, names from e-mails, etc.
Usually not to suspect the candidate victims, they send an e-mail that appears to be
sent from an official source, changing the header of the e-mail to ensure the user will
be trust and open the email, when the user reply to this fake email, the email will be
sent to a different address, and not the fake address that has the email as the sender, so
they invite the candidate to respond to victims simply by e-mail by typing their
- 20 -
personal info inside of the email as text and reply. The answer to this type of violation
is blocking real e-mail address that sent the fake email (open the e-mail header),
blocking the e-mail address that they use for reply, and report spam. Never click on
this links or respond back to this kind of e-mails for an important reason, with the
answer we inform them that our email address is exist and used.
- 21 -
Wi-Fi – Hot Spots
The wireless internet without cables offer much more flexibility which is exciting
(picture 1).
Picture 1:
But it is not as exciting as it sounds because ultimately the risk of data theft is greater
than a wired network. An unlocked wireless router can access it by everyone detects
the network, giving the possibility to the attacker to have wireless access to the
network in conjunction with the wrong configuration of the computer can have access
locally if the remote computer connect wired with the wireless router. Some argue
that the free internet access via Wi-Fi hot spots offer anonymity and that can not be
detected because no one of users accising the network have give persona info,
whenever he/she wants to leave and go elsewhere, changing place regularly. This
myth has been collapsed for the following reasons:
- 22 -
1. In free access to the Internet (Wi-Fi hot spots) areas usually there are security
cameras, so the user is very easy to detect it.
2. Recorded on the wireless router or in another network device the computer
components, such as hostname, MAC ADDRESS, username, IP ADDRESS.
Etc.
When there is an illegal activity, the network administrator is able to know the above
elements of the second (2) case, it is easy to make a cross-checking of information
with the aid of the ISP, which will try to identify the MAC ADDRESS of the
computer with the already recorded MAC ADDRESSES of all ISPS in the country to
detect the attacker (picture 2).
Picture 2:
- 23 -
Wi-Fi Privacy Hole
The incredibly rapid of technological developments in wireless networking,
coupled with free wireless networks significantly decreased the level of security and
Internet Privacy, as I mentioned above, the free wireless networks are attracting more
and more computer users believing that Web surfing without anyone can detect them
because they have not been registsred in the system as users. In many areas of
wireless free Internet access there are cameras, but not at all points. On subsequent
rows I will describe a way you can with proper attention to browse the Internet
through a free wireless network anonymously by 99%.
1. Choosing a place where there are no cameras.
2. Change the computer name, changing user name, changing the geographical
location on the computer.
3. Disable the existing on board wireless network adapter card.
4. Clear history and cookies from your Web Browser.
5. Use external (USB) wireless network adapter card that it is not used again (so
that there is not somewhere else recorded the MAC ADDRESS).
6. Use of external (USB) wireless network adapter card to connect to the wireless
network for free.
7. The external (USB) wireless network adapter card will be used only for free
access and only to wireless networks.
- 24 -
Intrusion Detection Software
The intrusion detection is a smart software installed on systems that contain
sensitive data such as in Servers and its purpose is to monitor network activity or to
monitor the local system and log all the activities even to prevent unauthorized
attempts. Its purpose is to log the movements of an attacker that later to find who was
the attacker. Picture 1 below shows what the attacker sees when trying to access a
server that is installed the software Web ID (Intrusion Detection), this software is
developed by Christos Beretas. Web ID (Intrusion Detection) software send this
fake message to the attacker while the attacker is happy that find an un secure system,
while at the same time the Web ID (Intrusion Detection) monitoring the attacker as
you can see on the Picture 2.
Picture 1:
- 25 -
Picture 2:
- 26 -
Vulnerability Scanners
There are automated and non-automated scanning tools that they will promise to
find the most network or web site vulnerabilities. Some of them they are legal and
some of the are illegal, these ones which they are illegal they are for hacking
purposes, while the legal ones are for examine and preventing a hacking attack in one
company or organization because they give you the possibility to scan the entire
network or web site for possible vulnerabilities before someone else examine it (the
attacker). Keep on your mind some of those tools, even they are legal or illegal tools
to examine an network or a web site they should download the entire site at the local
hard disk (the attacker hard disk) for offline investigation and some of them they are
scanning for vulnerabilities on the fly. Never put sensitive data or other sensitive
information on the web server. Of course this kind of attack can be loged by using a
software like firewalls, IDs, web server log files, if you have read the previous pages
you already know it is still difficult to detect really who is the attacker. The “Blight
Tester –v10.0” is an automated vulnerability scanning tool which is developed by
Christos Beretas, this tool is able to detect almost any vulnerability on the fly. This
tool is only for legal purposes and to examine your own web server or web site for
vulnerabilities (read the license agreement before use it). See Picture 1 for its
graphical user interface (GUI).
- 27 -
Picture 1:
- 28 -
Smart Phones and Geolocation
Now a days everybody enjoying the use of smart phone and their applications, is
something amazing to have access to any service from a mobile device and using
services that before few years a go it was just a dream. Unfortunately, all this easiness
that smart phones offer they have some disadvantages, for example:
• Some applications they are not behave the same as they behave on
computer.
• They affecting from viruses, which sometimes they steal personal data
or use hidden services with high cost in money for the phone owner.
• Use applications through WI-FI or while on the go is insecure because
always exist the possibility someone else to steal information, always
should do “log out” after completion.
• Some applications they are using by default the “geolocation” service
that means while you are using the specific application is detected
your current location.
Really, is that bad the geolocation service when suing by default on some
applications? The answer is YES, because:
• Everyone known where you are located.
• Someone may steal your home because he/she is known where you are.
• You want to have personal moments.
• You don’t want someone else to make a “personal profile” about your
self regarding where are you going often and how long you stay there.
• Other people check you, where you are without your permission.
- 29 -
Smart Phone location through GPS
There are three ways to detect a smart phone location:
1. By using a radiogoniometer.
2. By using a GPS.
3. By using common cell phone data (without GPS).
In this chapter, I will examine the second option since this handbook base on
technologies which they have directs relationship with internet.
Disable your GPS service on your smart phone when you are not use it.
There are three ways of smart phone detection via GPS:
1. When a legal application is installed on the smart phone and posts the
location to a specific service.
2. When illegal software is installed on the smart phone and is post
somewhere the current location, thus the smart phone is always traceable.
3. When your smart phone have enabled the GPS service for some reason.
In the first case, a legal software application is installed on the smart phone, and posts
somewhere your current location or the smart phone respond on specific requests
regarding the phone location via GPS. This kind of applications are used when the
parents they want to know where they are their kids and install that type of
applications on their smart phones.
In the second case, an illegal software application is installed on the smart phone,
sometime without asking the smart phone owner if is agree or not for the installation,
and send the smart phone location owner to un known servers, including some times
other personal data that is collect from the affected smart phone. Usually this kind of
applications they are running as “stealth mode”, because the smart phone owner
- 30 -
should not understand that this kind of software is installed and running on the smart
phone.
In the third case, some smart phones by default they have active the GPS service,
either some application keep it open or the smart phone operating system when it is
loading activate the GPS service. But, how someone may find the smart phone
location? The answer is following, if a smart phone has enabled the GPS service, by
sending data from satellites to the smart phone, at this point it is easy to detect on a
digital map the smart phone location, as many satellites send data to the smart phone
via GPS service is easier to detect the accurate smart phone location.
In the picture 1 below is show how easy is to detect a device which support the GPS
service.
Picture 1:
- 31 -
KeyLogger and Privacy
When we sound the word “KeyLogger” is equal to word “break privacy”, a key
logger software is the software which is installed on a computer and its purpose is to
record each character, number, including any phrase is typed by the keyboard and
recorded in log files. Then these data’s are sending to the key logger developer by
email or other messaging service, usually this kind of software is installed without the
user permission and is running as “stealth mode”. This software can be used
everywhere, including in academia and in work places, some times this software is
installed on computers that they use the employees of a company because the
employers they should be sure their employees they are working or just browsing on
internet. The legal way is only when for example a company known about the
existence of this software on their systems and its purpose is only for tracking their
employees if they are working or no and only for the company purposes, the illegal
way is to install that kind of software without the user permission usually by the
purpose to track the user personal life. Also, key loggers can be embedded in spyware
thus make easy the information will transmitted in unknown third party. Undoubtedly,
key loggers violate the user personal life and the privacy. In Picture 1 below you can
see the key logger log file.
Picture 1:
- 32 -
Recommending websites
I am recommending some useful websites here that you can download usefull and
freeware software applications that will help to do many tasks, but also you can keep
learning more about information technology and cyber security.
1. http://www.christosberetas.com
2. http://www.softpedia.com/progMoreBy/Publisher-Christos-Beretas-
86397.html
3. http://twitter.com/c_beretas
4. http://independent.academia.edu/ChristosBeretas
5. http://www.itf.dom.gr
6. http://www.scribd.com/christosberetas
For those who have Linkedin, and they are interesting to connect with Christos
Beretas, they can visit his profile below:
• http://gr.linkedin.com/in/christosberetas
- 33 -
Sources
Internet Service Provider (ISP) <http://www.webopedia.com>
Internet Service Provider Secrets <http://www.www.scribd.com>
Secret Surfing < http://networking.answers.com>
MAC Spoofing < http://en.wikipedia.org>
Phishing < http://en.wikipedia.org>
Phishing (Create Phishing Page) < http://www.hackalone.com>
Hacking VP� Connections < http://www.spamlaws.com>
Wi-Fi Security Software < http://www.hotspotshield.com>
Wi-Fi Security < http://www.nowiressecurity.com>
Christos Beretas Software <http://www.christosberetas.com>
Intrusion Detection <http://netsecurity.about.com>
Smart Phones and Geolocation <http://www.pewinternet.org>
Smart Phone Detection <http://www.pcworld.com>
Key Loggers <http://compnetworking.about.com>
